Argus Global Banning Setup Overview
From PDP/Grid Wiki
Revision as of 13:59, 23 August 2013 by Msalle@nikhef.nl (talk | contribs)
Introduction
This page is a *DRAFT*. Furthermore, this page is not intended to give a full overview of how to install an Argus service, see instead https://twiki.cern.ch/twiki/bin/view/EGEE/ArgusEMIDeployment for information on general setup.
Architecture / Components
- Central wLCG instance
- for the purpose of this wiki an Argus PAP is sufficient (no PDP or PEPd)
- NGI Argus instance
- unless all its sites run an Argus, a full Argus (with PDP and PEPd) is needed.
- Site services
- Site either runs its own Argus, or defines local mapping rules combined with NGI-based banning.
Setup
Configuring a PAP
An Argus PAP can be configured using either the pap-admin cli tool, see https://twiki.cern.ch/twiki/bin/view/EGEE/AuthZPAPCLI or directly via the ini files pap_authorization.ini (for the ACL) and pap_configuration.ini (for setting remote PAPs), both located in etc/argus/pap.
For setting the policies, the pap-admin is the only option.
When using YAIM to configure Argus, it will be left without any policy.
Central wLCG Argus
- The Central wLCG Argus needs to be configured to have a policy which *only* bans (/deny entries) subjects and/or FQANs.
- In addition it needs to have an appropriate ACL which permits all the NGI Argus PAPs read access to its policy.
